By Erno Doorenspleet, Executive Security Advisor, IBM Security Benelux.
Standing within close-up viewing distance of an expensive artwork, without anything coming between you and the experience. This is how art lovers in the Louvre are allowed to admire the Mona Lisa. And yet, the painting is tightly secured. You just don’t see the security measures. That same approach to security is necessary to enable the new generation of knowledge workers to work at any hour from any location. Not by placing the Mona Lisa in a box, but by creating ICT security that performs its function invisibly. This is now possible thanks to big data and analytics.
Security used to be simple. You hung a padlock on the door and no one came in. This is how we traditionally safeguarded our possessions. We do the same with our valuable data online. To protect this data, most organizations have implemented various levels of security: first the physical barriers provided by detection gates and badges, then at the workplace via user IDs, passwords, security keys and all sorts of security software. Frequently the most important business data can only be accessed from fixed office PCs that are bound by all sorts of internet restrictions.
The company doesn’t permit that
And all this while a generation is emerging that is averse to such security. What do you mean I can’t access my work from McDonald’s on my iPad? Anyone who visits a university these days and sees how the talent of the future works, with all their tools in the cloud, is amazed by the ‘flow’ in which they perform their work, at all hours and from any location. Using this work method, these young people are enormously productive and creative. But when these talents enter the business arena, they are confronted with a different world. The company doesn’t permit this? Then we’ll just pop it onto the cloud ourselves. But this just creates new security risks.
Current thinking regarding security is often still governed by the reflex to forbid activities and ‘seal off’ information. Forbidding activities because employees are not allowed to do certain things for security reasons. And sealing off information because we want to be sure that commercial secrets are kept within the company. In that sense, security will always be an arms race. If you build higher walls, the enemy comes up with a longer ladder. If you dig a moat around your fortress, he invents gunpowder. Attempting to further seal off valuable information is thus a logical reflex. But if you want to attract and keep young, talented people, you must use a different approach because if you simply keep on forbidding activities and locking information away, you just block the creative flow of the new generation of knowledge workers.
A fort or the Louvre?
Let’s be clear. The need for security has not decreased. The number of security incidents increased last year. The criminal organizations that attack us are smart. They are organized like a company and employ brilliant people. The only difference is that these people have chosen a ‘different’ career. The question is how do you enter the battle? If we genuinely want to make the new work possible, we must stop viewing our organizations as forts. Instead, we can be inspired by a museum. Once inside the Louvre, you are free to wander around as you wish. You can view the Mona Lisa and even get quite close, without anything coming between you and the experience.
And yet, the Mona Lisa is tightly secured. You just don’t notice the security. Cameras keep an eye on restless visitors. Invisible laser beams set off an alarm if you let even a single finger get too close to the painting. If someone moves to harm the painting, guards immediately pour out of a secret door. This is how we must approach online security, as well. The security measures must be there, but the user does not have to experience their presence. In other words: as the party ensuring security, don’t constantly say no; be an enabler instead.
Detecting suspicious patterns
The good thing is – this is all possible. The basic principle is a new view of security: not only preventing threats of which you are already aware, but using ‘big data’ and analytics to detect suspicious patterns and deviant behavior. This enables us to move toward security that works at three levels: prevention, detection and response. Thanks to this three-stage rocket, we can let each employee do his or her work and only intervene when such intervention is absolutely necessary.
In the first layer, prevention, analytics solutions can help us because, based on all the available big data, they know precisely how a component should behave. That also means these solutions can quickly detect any deviations. This makes it possible to implement specifically designed measures before the actual danger has manifested itself, frequently without the user even being aware of these measures. As a supplement to this, personal, secure cloud solutions can provide an answer to the public file-sharing services that are now so popular.
Detecting irregular behavior
We feed the detection layer with other big data: for example data regarding the traffic between servers and PCs. It quickly becomes obvious to the analytics software when hundreds of login attempts are made one after the other or if, at three o’clock in the morning, data is being sent to a country in which the company does not do business. Information about botnets, infected machines, spammers and phishers - the so-called security intelligence - is entered in the system.
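The two signals named above, a burst of login attempts and a night-time transfer to a country outside the company's business footprint, can be expressed as simple rules over event data. The following is an added example, not code from the article or from IBM; the log format, thresholds, country list and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not from the article); tune them to your environment.
BUSINESS_COUNTRIES = {"NL", "BE", "LU"}   # where the company does business
OFF_HOURS = range(0, 6)                   # 00:00-05:59 local time
LOGIN_BURST = 100                         # attempts from one source ...
BURST_WINDOW = timedelta(minutes=5)       # ... inside this sliding window

def parse(line):
    """Constructed log format: '<ISO timestamp> <kind> key=value ...'."""
    ts, kind, *pairs = line.split()
    return datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in pairs)

def detect(lines):
    """Return (rule, subject, timestamp) alerts; lines must be in time order."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)           # source address -> recent attempt times
    for line in lines:
        ts, kind, f = parse(line)
        if kind == "login_attempt":
            q = recent[f["src"]]
            q.append(ts)
            while ts - q[0] > BURST_WINDOW:   # drop attempts outside the window
                q.popleft()
            if len(q) >= LOGIN_BURST and f["src"] not in flagged:
                flagged.add(f["src"])         # alert once per source
                alerts.append(("login_burst", f["src"], ts))
        elif kind == "outbound":
            if ts.hour in OFF_HOURS and f["country"] not in BUSINESS_COUNTRIES:
                alerts.append(("off_hours_egress", f["host"], ts))
    return alerts

def sample_log(step_seconds=1):
    """Constructed events: 120 login attempts, then three unrelated events."""
    base = datetime(2015, 10, 2, 2, 0)
    lines = [
        f"{(base + timedelta(seconds=i * step_seconds)).isoformat()} "
        "login_attempt src=198.51.100.7 user=jdoe"
        for i in range(120)
    ]
    lines += [
        "2015-10-02T03:00:10 outbound host=pc-042 country=XX bytes=52428800",
        "2015-10-02T09:00:00 login_attempt src=192.0.2.10 user=asmith",
        "2015-10-02T14:20:00 outbound host=pc-017 country=BE bytes=1048576",
    ]
    return lines

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The same 120 attempts spread over twenty minutes stay under the threshold, which is the point of the sliding window: ordinary work goes unnoticed and only the deviation raises an alert.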
Finally, one must respond quickly and adequately. In the past, we frequently saw attacks coming, but could not intervene. Or we had to lock down all systems for two days in order to search for the leak. Now we can take specifically designed measures, so that employees can continue to work – even on the iPad from McDonald’s – and customers can continue to do business online. Moreover, in the event of a leak or another security incident, we can more quickly conduct a forensic study to determine the origin and cause of the leak, so that we can structurally close any holes.
Who has to implement this change? ICT security is the responsibility of the chief information security officer. Many chief information officers have a background in the ICT world and have been steeped in the old security mentality for many years. The urge to block is a part of this security mentality, and that is the comfort zone out of which these chief information officers must now step. This must be done in interplay with the other disciplines within the organization, since ICT security requires an integral approach: with human resources (HR) and with process management, controlled by the risk manager, who increasingly includes ICT security as part of his total image of the prevailing risks.
And this is a good development, because in the new online world ICT security must be a normal part of the daily operational management. This does not guarantee that no damage will occur, but it is a best practice. Risk officers and chief information officers can work hand in hand with their colleagues in the organization to move toward the new ‘enabling’ security mentality. So that the newest generation of knowledge workers can – as it were – stand right next to the Mona Lisa.
Published on 02 October 2015